[Devel] Processing REGISTER requests

Daniel-Constantin Mierla daniel at voice-system.ro
Fri Oct 7 11:40:52 CEST 2005


On 10/06/05 18:45, Dan Pascu wrote:

>On Thursday 06 October 2005 15:24, Daniel-Constantin Mierla wrote:
>  
>
>>>1. take one sip account joe at domain.com and configure 2 phones in 2
>>>different networks with that account and assign the same private IP to
>>>both phones. They will overwrite each other's registration.
>>>      
>>>
>>With same private ip, the risk to have same call-id increases.
>>    
>>
>
>First I'd like to see some evidence of this. If you or someone else was 
>able to find such duplicate call-ids then please post your findings. Type 
>of UA that generates them, how often do they happen, etc. I hate to speak 
>on hypotheses, but so far this is what we did. I watched over my contact 
>database and I haven't yet spotted a duplicate call-id, except when 
>coming from the same phone and ser decided to add the contact because the 
>IP/port changed. But this is not a duplicated call-id.
>  
>
I am not a service provider and I do not have a large database of contacts 
and phones. Except that there are multiple contacts in the database, 
most of the things we talked about are hypotheses, like roaming between 
wireless hotspots and stealing identities, but we all admit that may happen.

What I argued has foundations in reality and in the specification, and 
you cannot contest this. I cannot remember all devices I tested over 4 years 
along with their bugs, features and where I met them. The mailing list 
is to discuss and find the best possible solution. I have never said 
that what you propose is not the best compromise one can make for the 
moment, I just pointed out that there are flaws in this solution.

>Next, that's the whole point. With this method you only have some risk, 
>with the current method it is certain.
>  
>
And if I am not wrong, your call-id lookup will not totally prevent 
identity theft, since when migrating to a new hotspot a new IP will be 
assigned, and most of the phones use the IP address in the call-id, so 
the call-id will change and your old contact will not be updated. Have 
you tested this roaming between hotspots? As I said, generalizing a 
single experience is not the best solution and we should keep the issue 
open for discussion.

>  
>
>>Agree, it is what I want to avoid, better have multiple contact
>>addresses rather than overwrite another's contact. Lowering the expire
>>    
>>
>
>It's not better by any measure. I look in the contacts database and I see 
>I have 3 registered phones, while I only have 1 (your users will make 
>some conclusions about how reliable you are if you can't even keep track 
>correctly of them being online).
>  
>
There will be a parallel fork, having two failed branches. This is not 
nice and should be avoided, but in a proper way. Sometimes, in certain 
deployments, when the provider knows that the user has only one phone, 
this can be limited by tuning the registrar module (parameter 
desc_time_order).

>Then it opens you to security issues and identity theft.
>  
>
This is only in case of migration to other networks, a risk which may not 
be avoided even if you base the lookup on call-id, as I said above. 
Staying in the same network and IP, the risk is reduced.

Cheers,
Daniel

>I wouldn't say it's better, only that the problems it raises are more 
>bearable.
>
>And overwrite vs duplicate is not your choice. If you use 
>fix_nated_register() you will suffer from overwrites, if you use 
>fix_contact() you suffer from duplicates.
>
>  
>
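
The matching trade-off argued in this thread, as an added example that is not part of the original message and is not SER code: a toy location table for one AOR, replayed with three different binding keys. The events, addresses, strategy names and the mapping of each key to "overwrite" or "duplicate" behaviour are constructed assumptions based on the thread's description; expiry is not modelled.

```python
# Constructed REGISTER events: (label, call_id, contact_as_sent, nat_public_source)
TWO_PHONES = [  # same account, two networks, same private IP on both phones
    ("phone A", "a1@192.168.1.10", "sip:joe@192.168.1.10:5060", "198.51.100.7:40001"),
    ("phone B", "b7@192.168.1.10", "sip:joe@192.168.1.10:5060", "203.0.113.9:52311"),
]
ROAMING = [  # one phone changes hotspot; its call-id embeds the IP, so it changes too
    ("hotspot 1", "c3@10.0.0.5", "sip:joe@10.0.0.5:5060", "198.51.100.7:40002"),
    ("hotspot 2", "c9@172.16.4.8", "sip:joe@172.16.4.8:5060", "203.0.113.9:52312"),
]
REBIND = [  # one phone, same call-id, but the NAT assigns a new public port
    ("before", "d4@192.168.1.10", "sip:joe@192.168.1.10:5060", "198.51.100.7:40003"),
    ("after", "d4@192.168.1.10", "sip:joe@192.168.1.10:5060", "198.51.100.7:41877"),
]
SCENARIOS = {"two_phones": TWO_PHONES, "roaming": ROAMING, "rebind": REBIND}

# Hypothetical strategy names: which field identifies "the same contact".
KEYS = {
    "private_contact": lambda ev: ev[2],           # Contact kept as the phone sent it
    "public_source": lambda ev: "sip:joe@" + ev[3],  # Contact rewritten to NAT source
    "call_id": lambda ev: ev[1],                   # lookup by Call-ID
}

def replay(events, strategy):
    """Return the labels of the bindings left after replaying the events."""
    key_of = KEYS[strategy]
    bindings = {}
    for ev in events:
        # Same key: the existing binding is refreshed (overwritten).
        # New key: a further binding is added next to the old one.
        bindings[key_of(ev)] = ev[0]
    return sorted(bindings.values())

def summary():
    """Bindings per (scenario, strategy) pair."""
    return {(s, k): replay(evs, k) for s, evs in SCENARIOS.items() for k in KEYS}

if __name__ == "__main__":
    for (scenario, strategy), left in summary().items():
        print(f"{scenario:11} {strategy:16} -> {left}")
```

A single surviving binding in the two-phone case is an overwrite of another device; two surviving bindings in the one-phone cases mean a stale contact stays in the table until it expires.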